Build It And They Will Snoop

Late last month a Montreal homicide detective was found guilty of accessing a police database to pass citizens’ information to an organized crime ring to help it ship stolen vehicles overseas. We always keep an eye on these kinds of stories because abuse is one of the risks that is created by governments’ collection of personal data on citizens at all levels. These include records containing sensitive medical and employment history, contact details like email addresses or phone numbers, and even bank and credit card information. But when proponents argue for new databases, the fact that at least some of these records are almost certain to be exposed by crooked insiders is rarely accounted for.

One case resulted in years of harassment. Earlier this year Minnesota’s CityPages.com reported that the DMV record of a former female police officer had been illegally accessed 425 times by 104 officers in 18 different agencies across the state. The violations—which took place over several years—led to the woman being stalked, harassed, embarrassed, and ultimately resulted in her having to leave town to try to reclaim her privacy.

While illegally accessing someone’s driver’s license may seem harmless, this woman’s circumstances quickly became scary, according to CityPages.com. First she started receiving unsolicited date offers from other officers. One day she received an invitation to go sailing from a cop she had met briefly years before. Thinking that was strangely forward of someone she barely knew, she replied that he must have the wrong person named Anne. He wrote back: "I've definitely got the right Anne." Later, when she tried to break up with a guy she had gone out with a few times, he got mad and started driving by her house and calling repeatedly. When confronted, he revealed that a cop friend of his had "filled him in" on her past, her dating life, and even the kind of car she was driving. Not long after this, she left town. "I just wanted some privacy," she says. "I didn't know what more to do."

Her fellow officers were treating her official driving record like it was a Facebook profile, and the incident is not isolated. One officer said the practice is commonplace. "I get Anne's side of it," he said. "But every single cop in the state has done this. Chiefs on down."

In 2003 CDT did a survey of local news coverage to see just how widespread internal abuse at DMVs was and found:

• Dozens, if not hundreds, of cases of identity theft tied back to internal fraud and bad security practices.

These abuses are not limited to cops and DMVs. In 2010, a breach that has been linked to Utah’s Department of Workforce Services, where a large number of employees had access to this database, allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information, addresses, workplaces, and phone numbers of 1,300 alleged undocumented immigrants in Utah. And this past April an IRS worker was accused of (and is expected to plead guilty to) charges of illegally snooping into the records of family members she had lost touch with, including her ex-husband.

Despite rules, audits, and other safeguards meant to protect individuals’ privacy, personal information is constantly accessed improperly. To mitigate these risks we need strict data retention rules so that only what is absolutely necessary is collected and the information is held only as long as necessary. While the collection of certain information is needed at times, we also need to recognize that abuse will always be a temptation, and take steps to protect our privacy from this threat.